

Several customers of Canada Computers have reported suspected payment card data theft following purchases made on the company’s website. While details are still emerging, public reports highlight a growing risk facing all ecommerce businesses: online card skimming.
In a post titled “Canada Computers online card skimmer” on the Build a PC Canada subreddit, a user described discovering a malicious client-side script embedded in the website’s checkout flow. The script was reportedly identified while inspecting the page using browser developer tools. At the time of writing, it remains unclear whether the same behavior affects the retailer’s mobile application.
According to the report, the script behaved consistently with a Magecart-style digital skimmer, one of a class of attacks designed to silently capture payment data during online transactions.
Unlike physical card skimming, which relies on tampered hardware at ATMs or point-of-sale terminals, digital card skimming operates invisibly inside ecommerce websites.
In this case, the reported malicious JavaScript allegedly:
- Hooked into checkout form fields
- Monitored keystrokes and form submissions
- Performed basic validation on entered data
- Exfiltrated the information to an attacker-controlled endpoint
The data reportedly captured included full payment card details and associated personally identifiable information (PII), such as:
- Card number (PAN), CVV, and expiration date
- Cardholder name
- Billing address, city, province, and postal code
- Phone number and email address
- The authenticated customer account identifier
The individual reporting the issue stated that two support tickets were submitted to the retailer and later closed without resolution, prompting public disclosure to warn other customers. The activity was first observed on January 18th, 2026, during a live purchase with developer tools enabled.
Digital card skimming is difficult to detect and highly scalable. Once malicious code is injected, often through compromised third-party scripts or integrations, it can silently harvest data from every customer who checks out.
Because the skimmer operates client-side and blends into legitimate site functionality, some infections persist for months or even years before being discovered. By then, the impact can include:
- Widespread payment card fraud
- Loss of customer trust
- Regulatory exposure and compliance fallout
- Brand damage that extends far beyond the initial incident
At a high level, digital skimming attacks follow a predictable pattern:
1. Malicious code is injected into an ecommerce site or third-party dependency
2. Customers enter payment information during checkout
3. The skimmer silently copies that data in real time
4. Stolen data is transmitted to the attacker
Because many ecommerce platforms rely heavily on third-party services (such as payment widgets, analytics tools, and shopping cart software), attackers often compromise suppliers first, then let the infection spread downstream.
While consumers can’t control how merchant sites are secured, they can reduce exposure by practicing good digital hygiene:
- Pay attention to browser security warnings
- Be cautious of unexpected pop-ups or abnormal checkout behavior
- Use strong, unique passwords across accounts
- Enable transaction alerts for payment cards
- Limit online purchases to a dedicated card where possible
These steps won’t prevent breaches; however, they can limit the blast radius if one occurs.
For organizations, defending against digital card skimming requires continuous vigilance, not one-time fixes.
Effective protection includes:
- Keeping ecommerce platforms and dependencies fully up to date
- Encrypting all data in transit
- Minimizing the collection and storage of sensitive customer data
- Thoroughly vetting and monitoring third-party scripts and vendors
- Regularly reviewing source code and production changes
Because these attacks often exploit subtle, unauthorized changes, many organizations now rely on automated detection and monitoring to identify anomalies across their sites and supply chains before attackers can scale their impact.
The Canada Computers reports are a reminder that digital card skimming is not a niche threat. It’s a persistent risk for any organization that processes online payments.
For businesses, the goal is protecting customers, preserving trust, and ensuring that checkout remains a point of confidence, not compromise.
Understanding how these attacks work is the first step toward stopping them.